Using Github Deploy Key

What / Why

A deploy key is an SSH key attached to a single repository that grants a client read-only access to it (or read/write access, if you choose).

As the name says, its primary use is in the deploy process, in place of a username/password, where only read access is needed. That way the repo stays safe from attack even if the server is compromised.

How to

  1. Generate an SSH key

    Run ssh-keygen -t rsa -b 4096 -C "{email}" and leave the passphrase empty, since the deploy process has to run without keyboard input. With no passphrase, the private key file is protected only by its file permissions.

    After generation, the files id_rsa and id_rsa.pub can be found in the .ssh folder.

  2. Add the SSH key to the repo's "Deploy keys" setting

    cat .ssh/id_rsa.pub

    URL: https://github.com/{user}/{repo}/settings/keys

  3. Set up the git SSH key on the client machine

    Git normally uses the SSH key found in .ssh/id_rsa under the user's home folder, so first you need to find out the home directory of the user.

    For example, on Ubuntu/Debian, user www-data's home directory is /var/www by default, so the SSH key file is /var/www/.ssh/id_rsa.

    Then copy the id_rsa file from Step 1 to the right directory.

    You can test the connection by:

    sudo -u {user} ssh -T git@github.com

    *You might need to add GitHub's host key to known hosts.

    If everything went well, you will see:

    Hi {user}! You've successfully authenticated, but GitHub does not provide shell access.
    

    Then you are all set!

    Attention: make sure your repo URL uses the SSH form, not HTTPS, which means use

    git@github.com:{user}/{repo}.git
    

    not

    https://github.com/{user}/{repo}.git
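An added example, not part of the original gist: shell helpers for the two places Step 3 usually goes wrong, the copied key's file mode (ssh ignores a private key that group or others can read) and a remote that still points at the HTTPS URL. The function names and the paths passed to them are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original gist. Function names and paths are
# assumptions. Run install_deploy_key as the service user (for example via
# sudo -u www-data) so the files end up owned by that user.

# Copy a private key into <home>/.ssh with directory mode 700 and key mode 600.
install_deploy_key() {
    src=$1 home=$2
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    # umask keeps the copy private from the moment it is created
    ( umask 077; cp "$src" "$home/.ssh/id_rsa" ) || return 1
    chmod 600 "$home/.ssh/id_rsa"
}

# Succeed only for a regular file with no group or other permission bits.
key_mode_ok() {
    case $(ls -ld "$1" 2>/dev/null) in
        -r[w-]-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Rewrite an HTTPS GitHub remote to the SSH form that the deploy key is used
# with. Any other input is printed unchanged.
to_ssh_url() {
    case $1 in
        https://github.com/*/*)
            path=${1#https://github.com/}
            printf 'git@github.com:%s.git\n' "${path%.git}" ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Usage inside an existing clone:
#   git remote set-url origin "$(to_ssh_url "$(git remote get-url origin)")"
```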
    

*Using multiple deploy keys with different repos on the same machine

You can use the ~/.ssh/config file to configure a different SSH key for each repo. For details, please follow the instructions in Ref. 3 below.
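One way to set this up, as an added example that is not part of the original gist or of Ref. 3: each repository gets its own Host alias bound to a single key, with IdentitiesOnly so ssh offers only that key even when an agent holds others. The alias names, key paths and helper function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original gist. Alias names, key paths and the
# config file location are assumptions chosen for illustration.

# Append a Host block binding one alias to exactly one private key.
# IdentitiesOnly makes ssh offer only that key, even when an agent holds
# others, so the server sees the key registered for that repository.
add_deploy_host() {
    cfg=$1 name=$2 key=$3
    if grep -qx "Host $name" "$cfg" 2>/dev/null; then
        echo "alias $name already present in $cfg" >&2
        return 1
    fi
    cat >>"$cfg" <<EOF
Host $name
    HostName github.com
    User git
    IdentityFile $key
    IdentitiesOnly yes

EOF
    chmod 600 "$cfg"
}

# Clone URL that routes through the alias instead of plain github.com.
deploy_url() {
    printf 'git@%s:%s/%s.git\n' "$1" "$2" "$3"
}

# Print aliases that point at github.com but do not set IdentitiesOnly yes.
# Only the first pattern of each Host line is reported.
audit_config() {
    awk '
        function report() { if (host != "" && gh && !only) print host }
        tolower($1) == "host" { report(); host = $2; gh = 0; only = 0; next }
        tolower($1) == "hostname" && $2 == "github.com" { gh = 1 }
        tolower($1) == "identitiesonly" && tolower($2) == "yes" { only = 1 }
        END { report() }
    ' "$1"
}

# Usage: add_deploy_host ~/.ssh/config github-app ~/.ssh/id_rsa_app
#        git clone "$(deploy_url github-app '{user}' '{repo}')"
```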

Reference

  1. Read-only deploy keys

  2. Generating SSH keys

  3. Using Multiple Github Deploy Keys for a Single User on a Single Linux Server

@zhujunsan zhujunsan (Owner, Author) commented Oct 14, 2015

You might wanna use this for www-data

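    # create www-data's home directory if it is missing and hand it to www-data
    sudo mkdir -p /var/www
    sudo chown -R www-data:www-data /var/www/
    # generate the key as www-data so it lands in /var/www/.ssh
    sudo -u www-data ssh-keygen -t rsa -b 4096 -C "{hostname}"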

@ghost ghost commented Jan 16, 2017

Typo: id_rsa ( not id_ras )

  1. add ssh key to repo's "Deploy keys" setting
    cat .ssh/id_ras.pub

should be

cat .ssh/id_rsa.pub

@doublesharp doublesharp commented May 6, 2017

Hi - I needed to use multiple SSH deploy keys on a single server with Jenkins and used the link in #3 as a reference. Unfortunately it does contain some errors as well as broken formatting that make it a bit hard to follow, so I wrote a blog post as a reference for myself. If it's useful to anyone else you can see it here: https://www.justinsilver.com/technology/github-multiple-repository-ssh-deploy-keys/

@dealsumm dealsumm commented May 2, 2018

If you are using multiple Github Deploy Keys and SSH seems to be offering the wrong key, you may need to add the identity first.

ssh-add ~/.ssh/id_name_of_my_rsa_key

source: https://serverfault.com/a/825853

@onlineth onlineth commented Jan 8, 2019

You should consider changing cat .ssh/id_ras.pub to cat ~/.ssh/id_rsa.pub because of the "rsa" typo and in case someone is in a different directory when running these commands.

@f055 f055 commented Mar 27, 2019

If during a single ssh session you add two deploy keys using ssh-add, then git clone and presumably other commands only read the first one – meaning you can get the weird repository not found errors, even though keys were correctly added to the agent.

@djsegfault djsegfault commented Jun 4, 2020

Thank you for the tip on using git@github.com instead of https://. The directions I was following didn't mention that, and I couldn't get it to work until I found this.

@zhujunsan zhujunsan (Owner, Author) commented Jun 9, 2020

> Thank you for the tip on using git@github.com instead of https://. The directions I was following didn't mention that, and I couldn't get it to work until I found this.

Happy to help : )

@zhujunsan zhujunsan (Owner, Author) commented Jun 9, 2020

> Typo: id_rsa ( not id_ras )
>
>   1. add ssh key to repo's "Deploy keys" setting
>     cat .ssh/id_ras.pub
>
> should be
>
> cat .ssh/id_rsa.pub

Just saw, fixed, thanks

@asgharhussain asgharhussain commented Feb 2, 2021

This works for me, but I don't put in the owner for the git command.

@vbalas vbalas commented Feb 12, 2021

Can you provide the commands for Windows also?

@zhujunsan zhujunsan (Owner, Author) commented Feb 16, 2021

> Can you provide the commands for Windows also?

On Windows it's a little bit complicated. Which environment do you use? Git from git-scm (which uses mingw as its shell environment), git from GitHub (don't know, not using it, but I assume it should be easy to do so as there should be some official docs about this), or WSL (which is almost the same as the Linux one)?

@MichaelCurrin MichaelCurrin commented Feb 22, 2021

Typo fix:

-protocl
+protocol

@zhujunsan zhujunsan (Owner, Author) commented Apr 15, 2021

Typo fix:

-protocl
+protocol

Done
